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Abstract 

Over the past three years, California State University, Bakersfield received NSF funding 
to support hands-on explorations in network security and cryptography through Research 
Experience Vitalizing Science -University Program (REVS-UP). In addition to the summer 
bridge component, the grant included development of Multidisciplinary Information Assurance 
Curriculum at the undergraduate level and offered Information Assurance (IA) education for 
community members. In this summative report, a Results-Based Accountability (RBA) model 
is employed to examine six research questions: (1) How much has been done in the delivery of 
REVS-UP learning opportunities for high school students during the four-week summer 
sessions? (2) What strengths did the project demonstrate to support IA education? (3) What is 
the program impact on key stakeholders? (4) How much has been done through the 
Dissemination Workshop for K-12 teachers? (5) How well did the program perform in the 
service delivery? (6) Is anyone better off due to this outreach effort? To sustain the program 
improvement, qualitative and quantitative data are triangulated to assess what works, for whom, 
and in which context under a Context, Input, Process, and Product (CIPP) paradigm. The report 
concludes with a Future Direction section to examine the program setting on the REVS-UP 


platform. 
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Models for Information Assurance Education and Outreach: 

Year 3 and Summative Report 

As the society rushes to embrace technology development in cyberspace, demands on 
Information Assurance (IA) education have been strengthened to cope with network safety and 
computer vulnerability. With three-year funding from NSF, “Models for Information Assurance 
Education and Outreach” (MIAEO) is designed to combine research exploration, community 
outreach, and program development for key stakeholders of IA education. The first two 
components involve high school students, K-12 teachers, and community members to strengthen 
capacity building in the general public. The third component represents an innovative approach 
within California State University, Bakersfield (CSUB) to develop a broad-based, hands-on IA 
curriculum beyond existing programs in Computer Science, Mathematics, and Globed 
Intelligence and National Security. Altogether MIAEO has addressed dual foci of the 
CyberCorps: Scholarship for Service program, i.e., support cybersecurity education and 
workforce development (NSF, 2014). 

Evaluation reports for first two years of the grant operation have been reviewed and 
disseminated by the Education Resource Information Center of U.S. Department of Education 
( http://files.eric.ed.gov/fulltext/ED545559.pdf & http://files.eric.ed.gov/fulltext/ED546861.pdD . 
During the third year, three adjustments have been made in MIAEO to adapt to contextual 
changes within the local setting: 

1. The research exploration component used to include both high school students and K-12 
teachers under a platform of Research Experience Vitalizing Sciences - University 
Program (REVS-UP). In addition to IA education, REVS-UP concurrently uses funding 
from the Chevron Cooperation to support hands-on, research explorations in other STEM 




5 


fields. Due to decrease of the Chevron funding, no K-12 teachers were invited to 
participate in REVS-UP in 2015. To conform to this REVS-UP adjustment, the IRB 
protocol for MIAEO has been revised to eliminate teacher data collection from the four- 
week summer session. 

2. The community outreach component was expanded using the budget surplus from scaling 
down the REVS-UP operation. In 2014, a total of 22 community members took part in a 
Dissemination Workshop. In 2015, the attendee pool was expanded to 30, including 15 
teachers from last year and 15 new teachers this year. Additional data are gathered from 
teachers to assess the workshop impact on enhancement of IA education in K-12 school 
settings. 

3. The program development component was initiated in the first year, and has completed 
curriculum approval in the second year. Meanwhile, new Knowledge Units were 
stipulated by the National Security Agency and Department of Homeland Security (2013) 
for Centers of Academic Excellence in Cyber Defense/Information Assurance Education 
(CAE-CD). In preparing for CSUB transition to a semester system in 2016, minor 
revisions are needed in 2015 to strengthen curriculum alignment with the new 
Knowledge Units for CAE-CD. 

While the program development component is pending on the upcoming transition to a 
semester system, this summative report primarily addresses the first two components of MIAEO 
that have added outcome data in the third year. In this final evaluation report, assessment of 
program effectiveness is not only grounded on a review of the aggregated results from the past 
evidence, but also supported by analyses of new empirical data that have never been released 


before. 
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Literature Review 

Although summative reports are expected to justify accountability of program funding, 
Tom Angelo (1999), former director of the national assessment forum, maintained, “Though 
accountability matters, learning still matters most” (]j. 1). In this regard, Sloane (2008) 
advocated that “We change the basic research question from what works to what works for 
whom and in what contexts” (p. 43). Instead of delimiting the evaluation effort on "what 
works", a Context, Input, Process, and Product (CIPP) paradigm is adopted in this report to 
sustain the mechanism of program learning. 

Researchers noted that “The CIPP evaluation model belongs in the improvement/ 
accountability category” (Zhang et al. 2011, p. 59). It was initially conceptualized in the mid- 
1960s for evaluating federal grants (see Stufflebeam, 1983). This theoretical framework matured 
during development of national evaluation standards over the past four decades (Program 
Evaluation Standards, 2010). The standards have been approved by the American National 
Standards Institute (ANSI) and sponsored by 17 North American professional organizations 
(Yarbrough, Shulha, Hopson, & Caruthers, 2010). In this section, literature review is guided on 
the CIPP platform to support evaluation of the MIAEO program. 

It was highlighted in the MIAEO proposal that "California State University, Bakersfield 
(CSUB) has made great strides in improving educational opportunities for underrepresented 
minorities and women" (see Project Summary for Grant No. DUE - 1241636). In this service 
region, Bakersfield has surpassed the population size of well-known cities like St. Louis and 
Kem County covers a land area as large as the state of New Jersey (Wang, 2014). More 
importantly, Kern County has been ranked as one of the lowest regions in adult education across 
the United States (Brookings Institution, 2010), and Bakersfield was ranked as one of the least 
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educated metropolitan areas in the nation (Zumbrun, 2008). CSUB is the only public university 
within a radius of two-hour driving in all directions. Hence, community outreach plays an 
important role in enhancing IA education under this context. 

Below the college level, two schools from Kem County were ranked among the worst 10 
schools in California (see http://www.schooldigger.com/go/CA/schoolrank.aspx?pagetype= 
bottomlO). Studies across the nation confirmed strong needs to strengthen learning experiences 
in STEM education, particularly at high-needs schools (National Center for Educational 
Statistics, 2006). MIAEO offered concurrent enrollments for high school students to conduct 
hands-on research in the IA fields during a four-week summer session. The early engagement 
has demonstrated potential to support school-to-college transition. As Pittaoulis (2012) noted, "it 
is understandable that a sense that college is 'the logical' or 'next step' after high school may 
develop" (p. 107). Thus, another outcome measure of MIAEO is reflected by the enhancement 
of individual commitment to higher education. 

The local context inevitably impacts development of student attributes toward STEM 
education. Bottia et al. (2015) revealed that "STEM experiences of inspiration/reinforcement/ 
preparation during high school interact with demographic variables to moderate students' interest 
in STEM" (p. 1). As a new field, IA education is closely related to the reinforcement of STEM 
inspiration (Portman, 2006). Hence, consideration has been given to the input factor as indicated 
by student demographic backgrounds at the program entry. 

To enhance the equity of school-based learning, a new challenge is to attract more 
students, particularly females, in STEM fields. After entering the 21 st century, the National 
Women's Law Center (2005) reported that "more than 30 years after Congress outlawed sex 
discrimination in education, the gender divide in career and technical education (CTE) has 
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narrowed barely at all" (p. 2). While MIAEO was designed to guide student pursuit of careers in 
IA fields, it was acknowledged in the research literature that "Computing has one of the worst 
gender representations of any STEM discipline” (Robelen, 2012, p. 17). 

Despite its persistency, the gender gap can be altered through an education process. At 
the high school stage, "College major choices are often made during freshman or sophomore 
year" (Pittaoulis, 2012, p. 238). The timing also overlaps with a typical transition of student 
cognitive development from a concrete operational level to a formal operational level (Neo- 
Piagetian Theories of Development, 2009). The inquiry-based learning often involved "if ... then 
..." inference and can facilitate the cognitive development. Since the Piagetian theory is not 
gender-specific, Legewie and DiPrete (2014) asserted that "these actual [learning] experiences 
will offset prior beliefs about gender differences and reduce the gender gap in interest and plans 
to study STEM fields in college" (p. 262). 

As MIAEO adds new lab-based learning opportunities, it is anticipated in the product 
phase that "The training provided by REVS-UP will lay the foundation for academic and career 
interest in information assurance at the high school level" (see Project Summary for Grant No. 
DUE - 1241636). Nonetheless, student preparation is inseparable from teacher training 
(Robelen, 2012). Liou, Kirchhoff, and Lawrenz (2010) observed that "students in high need 
schools are much more likely to be taught by unqualified teachers" (p. 453). In the field of IA 
education, few teachers were fully prepared from their credential programs. Hence, MIAEO 
includes learning experiences for teachers through a process of developing and delivering 
Dissemination Workshops. 

In summary, MIAEO not only engages high school students in IA explorations, but also 
supports teachers to "disseminate the [IA] ideas back to their classes during the school year" 



9 


(Project Summary for Grant No. DUE - 1241636). Following the CIPP paradigm, student and 
school information is incorporated in this report to examine MIAEO outcomes from the process 
of service delivery in both REVS-UP inquiries and community outreach activities. 

Research Questions 

Since publication of a well-known book, “Trying Hard Is Not Good Enough” (Friedman, 
2006), a model of Results-Based Accountability (RBA) has gained popularity in the field of 
program evaluation. Friedman (2009) noted that “The RBA framework has been used in over 40 
states and countries around the world” (p. 1). In particular, RBA is practical, asking three simple 
questions to get the most important performance measures: (1) How much did we do? (2) How 
well did we do it? (3) Is anyone better off? (see http://resultsleadership.org/what-is-results- 
based-accountability-rba/). 

Following the RBA model, parallel questions have been adduced in this report to evaluate 
the REVS-UP and community outreach components of MIAEO: 

REVS-UP 

1. How much has been done in the delivery of REVS-UP learning opportunities for high 
school students during a four-week summer session? 

2. What strengths did the MIAEO component demonstrate in IA education? 

3. What is the impact of this summer bridge program on key stakeholders? 

Community Outreach 

4. How much has been done through the Dissemination Workshop to support IA 
education for K-12 teachers? 

5. How well did the program perform in service delivery? 

6. Is anyone better off due to this outreach effort? 
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According Miklas (2014), the RBA model and the CIPP paradigm extend mutual 
reinforcement to address both aspects of funding accountability and program improvement. 
From the RBA perspective, Miklas (2014) proposed a formula, “Result = A Population + 
Geographic Area + Condition of Well Being” (p. 17), to illustrate the articulation of Context 
(geographic area), Input (population features), Process (condition of wellbeing), and Product 
(program results) under the CIPP paradigm. The alignment ensures literature-based support for 
addressing the six RBA-stipulated questions in evaluation results. 

Evaluation Findings 

To facilitate result tracking in this report, evaluation findings are categorized sequentially 
in this section to match six research questions on page 9. 

1. How much has been done in the delivery of REVS-UP learning opportunities for 

high school students during a four-week summer session? 

At end of the third year, a total of four university student assistants, four K-12 teachers, 
and 51 high school students participated in development of 14 IA research projects under the 
leadership of two CSUB professors. The involvement of university student assistants not only 
supported the lab-based inquiries, but also introduced role models for high school students to 
pursue IA education. 

Although participation of K-12 teachers was discontinued in the third year due to changes 
at the REVS-UP side, the evaluator had a chance to interviews past teacher participants. One 
mathematics teacher indicated a teaching module he developed from the REVS-UP experience to 
expand student learning opportunities at a local high school. Another teacher guided past 
students in her science classes to pursue professional careers in IA fields. The REVS-UP 
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activities have supported both curriculum development and student advising in high school 
settings. 

As part of the REVS-UP offerings at CSUB, the P.I. and Co-P.I. worked with two cohorts 
of students each year to conduct hands-on research in Computer/Network Security and 
Cryptography. Descriptions of the IA exploration were posted online: 


1. Explorations in Network Security and Vulnerability Analysis 
Advisor: Dr. Melissa Danforth 

This program focuses on several issues within information assurance and computer 
security. Basic topics will be discussed and the students will conduct introductory 
simulations and experiments relating to the topics. This year will focus on digital 
forensics and incident response, with topics such as investigating computer systems, 
analyzing disk images, analyzing network data, recovery, and response. Key focus will 
be paid to professional ethics and legal uses of security tools. 

(see https://www.csub.edu/revsup/Computer%20Science/index.html) 


2. Explorations in Number Theory and Cryptography 
Advisor: Dr. Charles Lam 

This program explores the evolution of cryptology from simple substitution ciphers to 
public-key cryptography. Students will be introduced to basic number theory, and its use 
in modem-day encryption methods. In addition, different uses of cryptography in cases 
such as authentication and digital signatures will be explored. Participants will 
investigate on weaknesses in encryption schemes using basic cryptanalysis techniques, 
(see https://www.csub.edu/revsup/Mathematics/index.html) 


Within each week, lectures and lab activities were included in a daily agenda: 

Week 1: Lecture for 1-2 hours in the morning, hands-on activities the rest of the day (Day 
1: getting used to the computer systems, Days 2-3: introducing projects, Days 3-4: 
splitting into project groups) 

Week 2: Talk about major cybersecurity compromises for an hour in the morning, break 
into sub-groups to work on projects for the rest of the day 
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Week 3: Talk for 1-2 hours in the morning, including an overview of cybersecurity 
careers; projects for the rest of the day. The afternoon of Day 4 they start to work on their 
project posters 

Week 4: Days 1-2 are all about the project posters, Day 3 is movies/documentaries about 
cybersecurity and poster presentation prep, Day 4 includes a cybersecurity movie and 
poster presentations 

Table 1 shows the Scope of Work (SOW) for the two REVS-UP research teams. 


Table 1: SOW for Two Tracks of Cyber Security Projects 



Week 1 

Week 2 

Week 3 

Week 4 

Cryptography 

Simple Substitution 
Cipher, Polyalphab etic 
Substitution Cipher, 
Euclidean Algorithm, 
Modular Arithmetic, 
Worksheets on Topics 

Fermat’s Little Theo¬ 
rem, Modular Expo¬ 
nentiation Algorithm, 
RSA Encryption Al¬ 
gorithm and Proof, 
Worksheets on Topics 

Hands-on Activi¬ 
ties, including Pro¬ 
gramming and Ex¬ 
perimentation 

Prepare Poster on 
Hands-on Activi¬ 
ties 

Computer/ 

Network 

Security 

Ethics and Legality, 
Security Concepts, 
Authentication Proto¬ 
cols, Password Hash¬ 
ing and Cracking, Us¬ 
ing Linux, Hands-on 
Activities 

Password Practices, 
Secure Authentica¬ 
tion Protocols, TCP/IP 
Networking, Network 
Attacks, Social Engi¬ 
neering, Hands-on Ac¬ 
tivities 

Malware, Access 
Control, Protecting 
Information, “Best 
Practices” for Secu¬ 
rity, More on So¬ 
cial Engineering, 
Hands-on Activities 

Prepare Poster on 
Hands-on Activi¬ 
ties, Watch Videos 
on Recent Secu¬ 
rity Topics (e.g. 
SmartTV hack, 
DefCon, etc.) 


Source: https://www.usenix.org/system/files/conference/csetl4/csetl4-paper-danforth.pdf 


In summary, the REVS-UP component has been systematically designed to expand IA 
learning opportunities for high school students during a four-week summer session. The 
mechanism was delineated by SOW each week, as well as daily lectures and lab explorations 
within a week. The lecture part was designed to conform to professional practice, and the lab 
activities supported hands-on explorations to fulfill an IA research agenda. 


2. What strengths did the MIAEO component demonstrate in IA education? 

In this summative report, strengths of MIAEO are reflected in both process and product 
phases of the service delivery. From the process perspective, MIAEO supports network 
development for students across a dozen high schools. The school background information has 
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been gathered from well-established resources, such as http://www.greatschools.org and 
http://www.schooldigger.com. The information triangulation is needed because not all schools 
have their performance data available at multiple web sites. For instance, private schools are not 
ranked according to state test scores. Thus, local community ratings are needed to assess school 
status. Network plots for the first two years were presented in the 2013 and 2014 annual reports 
(Wang, 2013; 2014). Table 2 shows the network of students across gender, ethnic, grade level, 
and school rank dimensions in the third year. According to Hanson, Guilfoy, and Pillai (2009), 
social networking is an effective approach to break gender and ethnicity barriers. The 
involvement of students at different grade levels also supports heterogeneity of the participant 
grouping for cooperative learning (Dotson, 2011). 

Table 2: Network Attributes of REVS-UP Participants 


School 

Rank* 


8 


Network of School Affiliation 


Minority 


Non-Minority 


k Student4 ^.Frontier 

iGarces 
^.Studentll -►^.Liberty. 


F Student7 

'Studentl 

'StudentlO 


Legend 
Node Color: 
Pink=Female 
Blue=Male 

Node Shape: 
Up-triangle=Sophomore 
Diamond=Junior 
Down-triangle=Senior 


6 


^Student2 -Independence 

^.BHS- ^ Student6 

^.Student9 -Ridgeview 


Student nodes are 
aligned in columns 
according to 
ethnic status; 


5 


± Audent5 



Foothill 


^.Student8 -Highland 

^Student3 -Mira_Monte 

^Studentl2 West 


School nodes are 
clustered by ratings 
from greatschools.com 
that place the best 
schools in Rank 10 and 
the worst schools in 
Rank 1 


*The school ranks were anchored by information from greatschools.org. 
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Across three years, Table 3 shows a trend comparison on gender, ethnicity, and median 
school ranks of REVS-UP participants. Consent has been obtained to support the multiyear data 
collection from 17 students in 2013, 16 students in 2014, and 12 students in 2015. 

The trend results show more of effort of MIAEO to engage students from schools with a 
lower median rank (see Table 3). In the third year, a student reported that “I want to experience 
in collaborating with other individuals to fulfill the project goal to research.” Another student 
concurred that “I expect to leam different types of mathematic problems and work with other 
people.” The results supported Harwood’s (2011) observation, i.e., academic isolation of 
adolescents was a primary issue of high-needs schools. 

Qualitative data also indicated more positive student comments on the networking part, 
such as “I liked working with others to solve the codes”, “All the time spent together with teens 
from other schools”, and “Meeting new people and knowing they have the same interest.” 
Hence, an important strength of REVS-UP hinges on the opportunity of networking beyond the 
boundary of a specific high school. 

Table 3: Background of REVS-UP Student Participants across Three Years 


Context Factors 

2013 

2014 

2015 

Proportion of female students 

47.06 

47.06 

33.33 

Proportion of minority students 

0.84 

0.78 

0.67 

Median of school ranking* 

8 

8 

5.5 


*School rankings are based on information from greatschools.org. 


In the product phase, quality of poster presentations is another indicator of REVS-UP 
strength. Contents of the first 10 presentations from 2013 and 2014 were examined in the first 
two annual evaluation reports (Wang, 2013; 2014). In the third year, four new projects have 
been completed through IA research explorations (Table 4). In the first project, students 
examined an electronic payment scheme that had potential to become currency of the future for 
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transactions among three key stakeholders, i.e., trusted third party, merchant, and customer. 
Benefits and drawbacks were investigated along with implementation of RSA-based encryptions. 
In the second project, complexity of Enigma was disentangled by a thorough analysis of possible 
configurations from a combination of different rotors, sequences, initial positions and plug 
boards for information exchanges. In the third project, students had a chance to investigate a 
“Digital Crime Scenes” project. Different tools, such as virtual machines, live CDs, Sleuthkit, 
WinHex, grep, and gcore, were introduced during the hands-on explorations to access protected 
data, recover corrupted or deleted documents, and view otherwise unreadable files. In addition, 
students learned to hide a message, image, or video within the code of another file through a 
steganography process. In the fourth project, students learned to input passwords into a hashing 
algorithm to disguise them from attackers. Built on the four-week summer training, students 
were able to crack approximate 60% of the password hashes. The poster presentations are 
included in Appendix 1 to show a broad spectrum of IA inquires. It is clear that students have 
gained learning experiences that are not otherwise available from the existing high school 
curriculum. 


Table 4: Poster Presentations from the REVS-UP Component of MIAEO 


2013 

2014 

2015 

1. Crack Me If You 

Can: Using GPU 
Machines to 

Crack Passwords 

2. Defense Against 

Human Hacking 

3. Zero Knowledge, 

We Know Everything! 

4. Elliptic Enigma 

5. Factor Fiction 

1. Network Scanning 

2. Bitcoin and the SHA-256 

Hashing Function 

3. Integer Factorization 

Problem: An Attack on 
the RSA Public-Key 

Encryption Scheme 

4. How Secure is Your Password? 
GPU Password Cracking 

5. Hacking the Human Element 

1. E-cash: The 
Transition to 
Paperless 

Currency 

2. The Enigma 
Machine 

3. Digital Crime 
Scenes 

4. Cracking 
Password Hashes 
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While intellectual merits have been maintained in these REVS-UP projects, it is worth 
noting the decrease of median school ranking in the third year (see Table 3). Despite the 
involvement of more students from high-needs schools, students were well-engaged in the 
learning process, and unanimously decided to recommend this program in 2015 (Figure 1). The 
networking could have contributed to the development of student consensus. 


Would you recommend this activity to your friends and classmates? 

3 = Yes. 2 = Uncertain, 1 = No 



0 12 3 


Willingness to Recommend the Activity 

Figure 1. Trend of Program Recommendation from REVS-UP Participants. 


3. What is the impact of this summer bridge program on key stakeholders? 

Without involvement of K-12 teachers in the third year, key beneficiaries of REVS-UP 
have been delimited to high school students and university student assistants. Selection of high 
school students was handled by a REVS-UP panel that supported the four-week summer training 
since 2007. The track record has demonstrated consistent inclusion of quality candidates with 
GPA above 3.5. 

Prior to the REVS-UP session, students had a chance to indicate their agreement to a 
statement, “I am interested in cryptography”. The outcome was measured on a five-point scale 
(l=strongly disagree, ... 5=strongly agree). Although more students came from high-needs 
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schools in the third year, the interest level did not drop in comparison to the result from the 
second year (Figure 2). More importantly, the gender gap was narrowed to almost zero, which 
fit MIAEO’s objective of eliminating disparity of student interest (see Project Summary for 
Grant No. DUE - 1241636). In Figure 2, it should be noted that the higher interest in 2013 was 
largely expected because MIAEO was treated as a new offering. A female student confirmed 
the new program impression in her 2013 survey responses. 


PreQ6: I am interested in cryptography 


PreQ6 
4.3 

4.2 

4.1 

4.0 

3.9 

3.8 

3.7 

3.6 

3.5 

Figure 2. Trend of Student Interest in Cryptography 



The impact of MIAEO is further indicated by more assessment data from the third year. 
Figure 3 shows that students become more interested in attending college, cryptography, and 
cyber security due to the program impact. 

While high school students remain at an initial stage to develop academic interest, the 
four university student assistants have already entered the IA pipeline for professional training. 
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With MIAEO funding from NSF, these students collaborated with professors to enhance their 
subject competency. As a result, one student tied at the first rank in the national ERN 2014 
poster competition for Computer Science, and was rated at the first place during the 2014 CSUB 
Student Research Competition for Computer Science. Another student achieved the first place in 
the 2015 CSUB Student Research Poster Competition. The third student was recognized as the 
2015 outstanding graduating senior in research by School of Natural Sciences and Mathematics 
at CSUB. The fourth student has entered a Master’s program in National Security while 
accumulating experiences in cybersecurity consulting. Internships in information security have 
been offered to two of the students in summer, 2015. Altogether four student assistants have 
demonstrated academic excellence in this funding period, which met an important expectation in 
the original MIAEO proposal, i.e., “The unique, multidisciplinary curriculum will produce well- 
rounded graduates who will be excellent candidates for careers in federal and local agencies” (p. 
1 of Project Summary for Grant No. DUE - 1241636). 


Impact of the Activity on Student Interest 

5=much more interested. 4=more interested. 3=no effect, 2=less interested, 1=much less interested 


Interest 


Attending_college 


Cryptography 


Cyber_Security 



2 3 

Change of Interest 


, Average 
Responses 


4.167 


3.833 


4.167 


Figure 3. Program Impact on Academic Interest of REVS-UP Participants 


In summary, REVS-UP created a teamwork opportunity for both high school students 
and university student assistants. The benefit was not only reflected on IA career training at the 
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college level, but also supported recognition of high school students on the college bound. One 
of the high school participants was highlighted online by local news media prior to her college 
entry (see http://www.bakersfield.com/BakersfieldLife/2015/05/29/High-School-Senior-Ebony- 
Turner.html). 

4. How much has been done through the Dissemination Workshop to support IA 
education for K-12 teachers? 

It was acknowledged in the original grant proposal that “Another key area for 
information assurance outreach is general education of the local community and the region as a 
whole” (see Project Summary for Grant No. DUE - 1241636). Over the past three years, 
transition occurred in the approaches between “giving fish” and “teaching fishing”. Initially, a 
Cyber Security Panel Discussion was held for the public in 2013 to strengthen community 
engagement in IA education. 

Unlike the mathematics and science parts of the STEM field, no specific courses are 
designated for technology and engineering subjects in compulsory education. The IA 
knowledge update also occurred fast, which made it impossible to retain the routine course 
offerings. MIAEO was quick at adapting to the strong need for “teaching fishing”, and 
implemented the first Dissemination Workshop on August 1, 2014 to introduce REVS-UP 
projects to K-12 teachers. The workshop for the third year occurred on July 31, 2015. 



Figure 4. Teachers’ Preferred Times for Cybersecurity Training 
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To fit teacher schedule, new data were gathered to survey teacher availability. Figure 4 
showed that 73.53% of the responses supported the workshop offering during summer months of 
June, July, and August. In addition, the outreach effort was extended to K-12 school settings. 
The involvement of lower grade levels was based on fact that children started using technology 
tools, such as iPads and computers, prior to high school years. Nonetheless, the need seemed to 
became stronger at the high school level because cyberspace learning “helped engage students, 
cut down on paper, and allowed absent students to keep up with classwork” (Koebler, 2011, p. 
2). The variation of service demand across grade levels is in agreement with the distribution of 
30 teacher participants in the workshop setting (Figure 5). 





■ K to 3rd 

2 j 

■ 4th to 6th 

1 

■ Middle School 


■ High School 


Figure 5. Teaching Levels of the Workshop Participants in 2015. 


The teacher engagement has also been indicated by retention half of the past attendees in 
the Dissemination Workshop for the third year. In addition to sharing new projects from REVS- 
UP explorations, special attention was given to the returning attendees to assess the impact from 
their past learning experiences. With the final year support from NSF, attendees were guided to 
discuss future directions of K-12 cybersecurity education. The workshop agenda is listed in 


Table 5. 
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Table 5: Agenda of the 2015 Dissemination Workshop 


9:30am 

Room is open for early arrivals 

10:00-10:15am 

Welcome remarks and Introductions 

10:15-11:00am 

Discussion with returning attendees from 2014 workshop 

1 l:00-Noon 

Materials from REVS-UP sections 

Noon-1:00pm 

Working lunch: 

Break into small groups to discuss materials 

REVS-UP survey results poster on display 

1:00-1:45pm 

Report back from groups and Discuss results from REVS-UP surveys 

l:45-2:45pm 

Future directions for K-12 cybersecurity activities 

2:45-3:00pm 

Attendee surveys and turn in completed stipend paperwork 


In summary, preparations have been made for participating teachers of the Dissemination 
Workshop to sustain the impact of IA education in K-12 settings. The impact on teachers may 
help strengthen the technology and engineering components of STEM instruction at the level of 
compulsory education. 


5. How well did the program perform in service delivery? 

Outcomes of the service delivery are reflected by depth of learning among the workshop 
participants. According to Bloom’s taxonomy, the lowest level of learning is confined in fact 
remembering and the highest level involves a component of creation (Figure 6). 



Figure 6. Revised Bloom’s Taxonomy (Wilson, 2013). 
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In addition to passing on new information from REVS-UP poster presentation, the 
workshop guided its participants to consider creating cybersecurity activities in after-school 
settings. As a result, 22 out of 30 teachers clearly expressed their interest in after-school 
activities (see Figure 7). 



Figure 7. Participant Willingness to Create Cybersecurity After-School Activities in 2015 


More specifically, participants indicated choices of different activities, and Cyber Patriot was 
selected by most teachers (Figure 8). 



Figure 8. Teacher’s Choice of Cyber Security Activities. 
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The activities identified from the survey instrument were backed by supportive comments 
from teachers, such as the following: 

Competition, education and the ability to elevate student interests above online gaming. 

It would be great to expose my students to this to give them an experience they have 
never had. 

Opportunities for students to get involved in something so relevant. 

Our students today are interested in technology and this would be a great activity to teach 
students about cyber security. 

I work with Elementary school age students who need exposure to diverse fields. It 
looks like a good way to build excitement about a STEM career 

Exposing HS students to cybersecurity would open doors to new interests as well as 
possible higher education and employment opportunities. 

In combination, the results show effective engagement of K-12 teachers in IA education. 
In the end, the depth of learning was not confined in remembering what was done in REVS-UP 
poster presentations. On the contrary, teachers were led to consider creating new activities, such 
as Cyber Patriot, at the level of compulsory education. 

6. Is anyone better off due to this outreach effort? 

Teacher participants had a chance to identify the most beneficial aspects of the 
Dissemination Workshop. Most of them indicated that they benefited from “Review on 
password safety”, “Basic cybersecurity info”, and “Ways in which I can make this topic relevant 
to my students and different career paths”. They were impressed by the latest development of 
learning camps, research competitions, and career potentials for students in IA education. 

The learning outcomes supported incorporation of the workshop materials in K-12 school 
settings. In addition to recognizing the importance of cyber security and password strength, the 
past workshop participants included “How to create a more secure password” in their lesson 
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plans and encouraged students to “look into cyber security as a major in college”. In 2015, the 
curriculum impact occurred with 10 out of the 15 workshop participants from last year, and all 
30 workshop participants indicated their desire to attend future cybersecurity training at CSUB 
(Figure 9). 


30 



Figure 9. Impact of the Dissemination Workshop on Teachers 

In conclusion, MIAEO has offered REVS-UP training to develop academic and career 
interest in information assurance for high school students. CSUB student assistants received 
support from this grant to continue their education and career paths in the cyber security field. 
The community outreach effort has raised awareness of information assurance in K-12 school 
settings. 


Future Direction 

Over the past three years, California State University, Bakersfield (CSUB) received NSF 
funding to support hands-on explorations in network security and cryptography during a four- 
week summer session. The research process also involved CSUB student assistants and 
professors in charge of developing a new curriculum in IA education. The product was 
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represented by poster presentations for the Dissemination Workshop in the community. To 
sustain the coherent articulation across different IA education components in MIAEO, future 
directions are examined in this report to support student learning beyond the period of NSF 
funding. 

Before incorporation of MIAEO, REVS-UP offered hands-on research experiences in 
STEM fields for high school students since 2007. Each year, REVS-UP invited news media to 
announce the summer learning opportunity in an opening reception. In 2013 and 2014, REVS- 
UP also contributed $200 per high school student to amend a compensation gap between MIAEO 
and other STEM exploration projects. Using this existing platform has saved MIAEO budget for 
program advertisement, student screening, and summer session scheduling. The REVS-UP 
setting allowed high school students to receive five units of college-level science credit for 
participating in MIAEO explorations. These supports were covered by private funding from the 
Chevron Cooperation, and strengthened NSF funding outcomes. 

While acknowledging these advantages, it is worth noting that REVS-UP is not stagnant 
platform. To cope with the increase of local demand, three adjustments have been made by 
REVS-UP that impacted MIAEO operation in the third year: 

(1) No high school teachers were invited as team members to support the REVS-UP 
exploration; 

(2) No freshman students from local high school were allowed to apply for REVS-UP 
participation; 

(3) Students were discouraged from participating in REVS-UP explorations on the same 
research track. 


These changes seemed necessary under the reduced budget for REVS-UP. 
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Although MIAEO was not funded by Chevron, the contextual change inevitably altered 
the outcome of its participant selection. For instance, the P.I. of MIAEO noted that “I found out 
during introductions today that almost the entire group are seniors who just finished high school. 
I know that was the direction REVS-UP was taking as a whole, but I had asked for more 
lOth/llth grade students to keep the demographics similar to the past two years” (personal 
communication on July 13, 2015). 

Besides the aspects of context and input, elimination of high school teachers also 
impacted the process and product phases of REVS-UP service delivery. Regarding the merit of 
teacher involvement, the REVS-UP Director noted that “We re-vitalize their interest in science 
and give them ideas for hands-on projects and experiences that they introduce in their 
classrooms. Teachers are very excited about this opportunity and have already included many of 
their experiences into the classroom” (https://www.csub.edu/insideCSUB/cc/andreas_gebauer. 
shtml). 

Prior to the Chevron sponsorship, REVS-UP was originated from a NSF grant in 
geoscience (NSF Grant No. GEO 0303324). The recent changes in REVS-UP need to be 
examined for following reasons: 

(1) Since MIAEO includes a Dissemination Workshop for teachers, involvement of high 
school teachers in REVS-UP may help make poster presentations more relevant to the 
workshop attendees; 

(2) Based on the evaluator’s interview notes from August 2015, high school teachers 
indicated the needs of engaging younger students in IA education. However, REVS-UP 
made a decision to only admit older students above the freshman level; 
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(3) Since IA education never occurred as key STEM component in K-12 curricula, teachers 
suggested the “dosage” increase by inviting students to continue REVS-UP explorations 
across multiple years. The past records showed completion of different research projects 
each year (see Table 4), which could support the “dosage” accumulation. 

The examination of MIAEO connection with REVS-UP may help clarify the need of 
continuing the “one size fit all” approach in the future direction. In particular, MIAEO may need 
to reverse the REVS-UP change in 2015 by encouraging students to continue engagement in IA 
explorations across multiple years. 
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Appendix 1: Poster Presentations of Five IA Research Projects 


1. E-cash: The Transition to Paperless Currency 
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What is E-cash? 

Created in 1990 by David Chaum, E-cash is an electronic 
payment scheme with similar properties to physical currency. It 
uses advanced cryptographic principles to hide the identity of 
the users and their spending habits. E-cash has been 
implemented in certain parts of Europe. Australia, and South 
Africa due to the lack of credit cards in these regions. This form 
of payment removes the need for a middleman (i.e. a bank) in a 
transaction. E-cash has the potential to be the currency of the 
future, [3] 

E-cash Benefits 

• Anonymity/Privacy 

• No transaction fees 

• Transcends national currencies 

• Easily transferable 

• Change no longer necessary 

E-cash Drawbacks 

• Can’t use system without internet access 

• Anonymity may lead to illegal activities 

• Money laundering 

• Double spending 

• Tax evasion 

• Costly to implement software [5] 

Protocol Source Code 



$35 * 1 * 



Transaction Process 

In a typical E-cash transaction, there are three participants: a 
trusted third party, a merchant, and a customer. The process is 
detailed in the flowchart below. The algorithm it follows 
allows for secure minting of an E-coin but prevents double¬ 
spending by tracing back the variables used by the consumer to 
make the actual coin. [4] 


Bank: Creates n = p ■ q forp.q prime and k € Z* 
^ Alice: Creates (a,,r,,d,,c,) for 1 < i < k mod n 
Alice: fl, = r, 3 ■ f{x„yi) mod n 

Bank: r, • mod n 

Alice: Calculates C, = f(x t , y t ) ,/3 mod n 
J Alice: k = (x„C,) 


I 



RSA-based Algorithm 

Untraceable Cash Protocol 

Bank publishes an integer n which is the product of two sufficiently large primes p and q 
n = generalePubltcKey(pnmeDlgltCount) 
and a sufficiently large integer k 

k == genera teftnndom/nlegerfdigitCount) 

Alice Obtains an Electronic Coin 

Alice generates strings a,-, r„ c„ and d, with length i where 1 S i S k independently and uniformly and 
random from residues mod n 

a — generateRandamKey(n, k, I) r s= generateRandomKey(n, k, i) 

c = generateRandomKey{n, k.l ) d — generateRandomK ey(n, k,t) 

Alice generates and sends to the bank B, which consists of k blinded candidates 
B, = r,• f(.X{,yi) mod n for 1 < i £ k 

= a(a,.c,) y, = fl(a,©(u||(i> + i)),d f ) 

and f and g are any suitable one-way function. 

The bank then chooses a random subset of k/2 blinded candidate indices R = {l ( ) 1 £ // £ * for 1 < / £ 
k/2 and transmits it to Alice. 

Alice displays the r„ a,, c,. and d, values Vi e R, where the bank confirms their values since u||(t> + i) Is 
known to the bank. 

The bank gives Alice 


0 "'“ 
te bank als 

C = f| ft,Xi.yO ir> mod n 


J Alice Pays Bob With the Electronic Coin 

:e sends C to Bob. 

I Bob chooses a binary string z, ,z ; ,.... i k/i 
I Alice responds as follows for all 1 < i < k/2 

If z, = 1, then Alice sends Bob a<, c,, and yj. 

If Z; = 0, then Alice sends Bob .v ( ,a,©(u|Ki> + f)) and d t . 

I Bob verifies that C is of the proper form and that Alice's response fits C 
| Bob later sends C and Alice's response to the bank, which verifies their correctness and credits his account. 


Blind Signatures 



Blind signatures are a form of digital 
signature that utilizes RSA encryption 
to disguise a message before it is 
verified. When the consumer uses a 
“blind signature", the bank can’t link 
withdrawals and deposits. This blind 
signature allows the bank to verify a 
message without actually reading it. 

[1] This idea was first implemented by 
David Chaum and is based upon RSA 
encryption. [2] 

Double Spending 

“Double-spending" is the process of using an E-cash “coin" to 
purchase more than what currency amount is registered on the 
coin itself. Verification of E-cash is sometimes done after the 
transaction is made, allowing the consumer to “double-spend." 

A solution to this problem is to ensure the verification of the E- 
cash coin during the transaction process. If a coin is used more 
than once, the owner of the coin *s identity will be revealed and 
reviewed. [4] 

Conclusion 

E-cash is a versatile form of electronic currency. In contrast to 
gift cards, it doesn’t require a database to complete a 
transaction. As opposed to credit cards, it offers privacy for the 
user and eliminates transaction fees. Since credit cards have 
established a reputation of convenience and reliability amongst 
many countries, the implementation of E-cash will be a 
challenge. Despite its flaws, E-cash could become the next 
major payment scheme. 
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2. The Enigma Machine 
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How it all began? 

German engineer, Arthur Scherbius, invented one of 
the greatest electric mechanical cipher machines in 
the 1920s [5]. The enigma machine was envisioned 
for commercial use but instead it was commonly used 
for World War II. The machine allowed its operator to 
^■0 type a message, then randomized it using a cipher 
I I substitution system produced by variable rotors and 
an electronic circuit. Over the years German code 
experts modified the machine to make it more 
complex by adding plug boards and making it more 
transportable for war-time purposes. 

What is in it? 

Enigma contains rotors, plug boards, lamp panels, and reflectors[2]: 
* Rotors- When a character enters the rotor it causes the rotor 
to rotate one position forward, preventing the letter from 
encrypting into itself. Three rotors are chosen from five 
available rotors. 

r Plug boards- The machine contains 10 plugs allowing two 
different letters to exchange. 

r Reflectors- The reflector receives the input and reflects the 
electrical signal transmitting it back to the rotors. 
r Lamp boards- The electric signal arrives to the lamp board 
which lights up the enciphered character. 



Cryptog raphic Principles 

| The key sheet (shown below) is the private key which contains[2j: 

Walzenlagefroll location): choice 
and order of the wheels 
Ringsiellung(ring position): the 
position of the rotor wiring, relativi 
to the alphabet rings 
Steckerverbi ndungen( pi ug 
connections): the plug connections 
on the plug board 
Kenngruppcn( characteristic 
groups):groups to classify the key to 





lilllll 


the receiver 


eyto|| 


K N 

> It is a symmetric encryption scheme. 

r The machine is a polyalphabetic substitution cipher. 

r The secret key for the scheme is in how you set the machine up. 

*■ The machines have to be identically set up in each session, for 
correct communication. 

How many settings? 

The combinations of the different rotors, their order, their initial 
positions and the plug board help to increase the complexity or the 
size of the amount of possible configurations the machine can hold 




When considering the amount of permutations when choosing 5 oul 
of 3 rotors we have: 

( 3 ) = j; = 5 • 4 • 3 = 60 combinations 


Rotor Initial Position 

Since each rotor has 26 unique initial configurations, we have: 
26 X 26 x 26 x= 26 3 = 17,576 positions 


Plug board 

The plug board can connect up to ten pairs of letters w here no letter 

can connect to itself, we have: 

Q '(2 * “2 ... 2 ) 150.738,274.937.250 

combinations 

Therefore, the total amount of possibilities is approximately 
1.59 x 10 20 . 

Breaking the Unbreakable 

r Enigma machine was first broken by the Polish Cipher Bureau, 
including Marian Rejewki, Jerzy Rozycki, and Henryk 
Zygalki[4]. 

r Rejewki discovered that the wiring connections between the 
machine’s keyboard and encoding mechanism were in 
alphabetical order. He made his major breakthrough by 
formulating equations to match permutations in the settings of 
the machine. 

* Rejewki used theoretical mathematics to reverse engineer the 
devise and created numerous devices to break the ciphers. 


Bombe 


"\ 


> Alan Turing used an electro-mechanical 
device to assist in deciphering German’s 
secret communications[3]. 
r An electronic current would flow through the 
machine. In every wrong deduction or 
assumption made, the machine would “click”, 
indicating that it is incorrect and it would 
redirect to the next option. 
r Using process of elimination, an individual 
would check the remaining options. 
r Over 200 bombes were created but after the 
war all the original bombes were destroyed. 



Flaw? jnjhe. Machine 

^ A certain character could not be encrypted to itself [ 1 ]. 
r Operators reused keys that had been used before. 

^ Operators often used keys that were easily defined on the 
keyboard. 

r No rotor was allowed to be in the same position on consecutive 
days. 

r Plug board cables were not able to connect to itself. 

> The third rotor wheel hardly shifted position. 
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3. Digital Crime Scenes 
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What is digital forensics? 


Digital forensics involves the retrieving and analyzing of hidden or 
protected information in electronic devices. The processes it 
encompasses often involve investigating a crime scene or finding 
exploits in vulnerable systems to prevent such crimes. For example, 
an exploit was recently found in certain Chrysler vehicles that allowed 
attackers to have complete control over the car, even from a great 
distance, using wireless networks. 

Digital forensics usually includes three general steps: acquisition, 
extraction, and analysis. First we must gain access to and acquire the 
data, next we must extract the data we are looking for and put it into a 
readable format, and last we must analyze the data to make a 
conclusion about its significance. 

Before we can do any of this, however, we must first organize a 
toolkit to help us do each of these steps. The toolkit allows us to 
access protected data, recover corrupted or deleted files, and view 
otherwise unreadable files, which is related to the acquisition and 
extraction steps. A danger with using tools that are already on 
whatever device you are accessing is that they may have been 
tampered with to provide false or misleading evidence. Because of 
this we put a toolkit together before hand with whatever we may need 
and then load it onto the device we are accessing. The tools we used 
in our project included: virtual machines, live CDs, Sleuthkit, WinHex, 
grep, and gcore. 


Tools 


• Virtual Machines - Allow us to simulate operating systems and 
safely use different tools and programs without the risk of damaging 
the machine we are working on. 



• Sleuthkit - A set of tools that allows us to analyze disk images and 
recover files from them, even ones that have been deleted or 
corrupted. 


• Live CDs - If a computer requires some kind of security key to 
access, we can boot the computer from our live CD and access the 
contents of the hard drive, bypassing the needed user credentials. 
Below are the contents of a Windows computer accessed through a 
Linux live CD. 



• WinHex - If a file is corrupted and unreadable, WinHex can analyze 
its data distribution and help determine what kind of file it is, thereby 
allowing us to reconstruct the file so it becomes readable again. 


Steaanoaraphv 


Steganography is the practice of hiding a message, image, or video 
within the code of another file. This embedding process allows for the 
concealing of important or perhaps incriminating information such as the 
credentials to a company's database or the plans for criminal activity. 
Sometimes these hidden messages can leave “artifacts" or small 
distortions in the image. Searching through a file or an image for hidden 
information is a common step for analysis within Digital Forensics. See if 
you can spot the artifact in the image below. 




• gcore - A utility in the Linux terminal which is designed to dump or 
copy system memory to a console, text, or binary file. This is one of 
the many methods used to obtain a user's credentials or recover 
volatile data. While this output file can be quite lengthy, a simple 
search can reveal desired information easily, as shown below with a 
search for a phrase such as “password-' 


username=mstevens& mypass&testcookies=l 

studentgstudent-virtual-Machine | 


Even text files can have a completely different message hidden 
underneath. Microsoft Word is infamous for not actually deleting content 
that the user thought was deleted. 




REFERENCES 

Winhex - http://www.winhex.com/winhex/ 
Virtual Machine - https://www.vmware.com/ 
Sleuthkit - http://www.sleuthkit.org / 
Bless Hex Editor - http://home.qna,orq/bless/ 
Linux Mint - http://www.linuxmint.com/ 





























































33 


4. Cracking Password Hashes 
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CPU v.s. GPU 



The Central Processing Unit (CPU), more commonly known as 
simply the processor, handles all arithmetic and logical operations. 
The CPU essentially performs as the brain of the computer, 
synchronizing and performing tasks and instructions. The average 
CPU will have 4-8 cores, and generally a greater number of cores 
increases the amount of instructions that can be executed 
simultaneously. 

Computers equipped with a Graphics Card can take advantage of 
a Graphics Processing Unit (GPU), a processor optimized 
specifically for rendering images to the screen. A GPU can contain 
hundreds of times more cores than a CPU, allowing a GPU to 
handle much larger volumes of arithmetic functions in parallel. 
ocIHashcat takes advantage of this increased throughput to process 
large numbers of password hashes very quickly. ocIHashcat: http: 
//hashcat.net/oclhashcat/ 
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Password 

Complexities 

Some examples of how many passwords can be created 
with some simple parameters 



Combinations 

Possible Passwords 

6 digits 

15x15x15x15x15x15 

10 6 = 1,000,000 

6 symbols 

35x35x35x25x35x35 

35 6 = 1.838,265,625 

6 lowercase 

26x26x25x25x25x25 

26 s = 1,073,741,824 

6 characters 

9Z x 9Z x 9Z x 9Z x 9Z x 97 

97 6 = 689,869,781,056 


Straight 


Combination 


Hybrid 


MD5 


38,300.2 


20,900.7 


SHA1 


10391.4 


SHA256 


79693.4 


SHA512 


20798.8 


Components Used In Attacks: 

Large, diet 

common _passwords.dict 

?a?a?a?a?a 

?l?l?l?l?l 


869,232 lines 
3,557 lines 

8,587,340,257 combinations 
11,881,376 combinations 


Attacks: 

Straight: 
Combination: 
Brute Force: 
Hybrid: 


Large, diet 

Large.dict x common_passwords.dict 

?a?a?a?a?a 

Large.dict x ?/?/?/?/?/ 
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Bakersfield 
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Hashing Algorithms 

A password hash is the product of inputting a password into a 
hashing algorithm. The resulting hash is a seemingly random 
collection of numbers and letters that represent your encrypted 
password, disguising it from an attacker. A hashing algorithm cannot 
be reversed, and the stronger the hashing method, the longer it takes 
to produce a hash. 

Due to the fact that hashing algorithms cannot be reversed, the 
algorithm itself isn't what we are cracking. In fact, many popular 
hashing algorithms are available to the public. In order to crack a 
password, thousands of trial passwords must be generated, hashed, 
and compared to the original hash. If a match is found, you have 
successfully cracked the password. 

deeff28314d9ae4ed262cfc6f35e5153 
C4d4d037d7d0a05e8f526dl8aa25fb5e 
01545fa976c8367b4f0d59169ac4866c 
08d25bf879e353686a974b7bl4ae7d81 
119cb63b48c9al8f31f417f09655efbd 
a4fcl5313ef2a516bfbf33ce44231535 
Ca2531b8cd79ea5b778ede3a524779b9 
3aal4cal3d52df070870d39306f4a4eb 
b31731ea6cdbebeld02f8193db420886 

Some example attacks and their performance 
in terms of kHashes/sec 


Tips for safe passwords 

Short randomized phrases are easy to remember, but still very secure 

Don't follow patterns that are commonly used 

Don't use the same password for multiple sites or accounts 

Always use two factor authentication if given the option 

Use a variety of symbols and numbers 


Cracking Test Passwords 



Hash " Salt Password 

The test started with 16 students creating 3 passwords of varying 
strength: easy, medium, and strong. 52 more passwords were then 
randomly generated using numbers and dictionary words to end with a 
total of 100. The passwords were then hashed and given to us to try to 
crack using the different attacks available with ocIHashcat. 

• Given the limited resources available to us in the project, simpler, 
more efficient attacks had to be used. 

• Some of the passwords were just too long and random to crack given 
these restrictions. 

• We were able to crack 59% of the password hashes we were given. 


qwerty 

simply cracked with a dictionary attack 

Password 

cracked with a hybrid attack: ?u large.dict 

apple123 

cracked with a hybrid attack: large.dict ?d?d?d 


Not Cracked Examples 


32WaterFISH7239 


10gwr2dv3 


23571113171923293137 


Both 15 characters long and has a mix of 
lowercase, uppercase, and digits 


Random enough to need a mask of 9 
characters 


Password seems simple, but it could take 
10 20 combinations to find 




















































































